Michael White – CCIE #26626


Collab Edge MRA for 7800/8800/DX Series Endpoints

Cisco recently posted Expressway (and VCS) X8.5.2 and 10.3.1 firmware for the 8800 and 7800 series phones. The combination of these products allows these phones to register remotely to CUCM utilizing Collaboration Edge MRA. (The DX-series (650/70/80) is expected to support MRA in the next release of code due out shortly.)

This functionality isn’t TAC supported yet, and has been released in a “feature preview” form. I’ve set it up and tested it and it works well for the most part. There is not full feature parity between a phone registered via MRA and one registered directly to CUCM, but for testing and basic calls, it works well.

In order to set it up, make sure your Expressway MRA deployment for Jabber is working properly. MRA for the 7800/8800 series phones uses the same service discovery process that Jabber uses, so if you have Jabber working, you’ll have 95% of the work done.

One important piece of information to know is that the phone firmware trusts 100+ public root CA certificates. If your Expressway-E server does not have a certificate signed by one of these CAs, it’s not going to work for the phones.

Logged in to Jabber via MRA to ensure the correct functionality of my MRA system and my login credentials.

Defined the phone in CUCM and then connected the phone directly to CUCM so that it would pull the version of firmware that supports MRA. (My 8851 phone shipped with an older version of code that did not have MRA support.)

Took the phone off of the corporate network to an internet-access only network.

I had initial problems with the phone not attempting MRA lookup after being connected to the internet-only network, so I followed the troubleshooting process of resetting the Network settings on the phone. It then started to try the MRA process.

2) Firmware now prompts for MRA credentials (These would be the same credentials you use for Jabber MRA login — in my case it is set to use LDAP/AD for authentication):

Phone now attempts the _collab-edge._tls.domain.com service record lookup (like Jabber does) to discover the Expressway-E/VCS-E host.

3) Phone completes MRA login process

The phone is now registered and usable.
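The two external prerequisites described above, the `_collab-edge._tls` SRV lookup and an Expressway-E certificate issued under a CA the phone trusts, can be screened from the internet-only network before touching the phone. This is an added example, not from the original post; `example.com`, the `expe*` host names and the trust-list file (one CA common name per line, compiled by you for your firmware) are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: pre-flight checks for phone MRA.
# Assumes the dig and openssl CLIs and a trust-list file with one CA common
# name per line, compiled by you from the CA list for your phone firmware.

# SRV name the phone looks up for a service domain (same record Jabber uses).
srv_name() { printf '_collab-edge._tls.%s\n' "$1"; }

# Read `dig +short SRV` lines ("priority weight port target.") on stdin and
# print host:port of the preferred record. Lowest priority wins; ties go to
# the highest weight here (a simplification of RFC 2782 weighted selection).
pick_srv_target() {
  sort -k1,1n -k2,2nr | awk 'NF == 4 { sub(/\.$/, "", $4); print $4 ":" $3; exit }'
}

# Read `openssl s_client -showcerts` output on stdin and print the common name
# of the last issuer in the presented chain, i.e. the CA the phone must trust.
# An issuer without a CN is printed as its whole distinguished name.
top_issuer_cn() {
  awk '/^ *i:/ { sub(/^ *i:/, ""); last = $0 } END { print last }' |
    sed 's/.*CN *= *//'
}

# Succeed only if the top issuer CN appears verbatim in the trust-list file.
issuer_trusted() {   # usage: issuer_trusted trust_list.txt < s_client_output
  local cn
  cn=$(top_issuer_cn)
  [ -n "$cn" ] && grep -Fxq -- "$cn" "$1"
}

# Live check: resolve the SRV record, then inspect the chain that host serves.
preflight() {   # usage: preflight example.com trust_list.txt
  local target
  target=$(dig +short SRV "$(srv_name "$1")" | pick_srv_target)
  [ -n "$target" ] || { echo "no SRV record for $(srv_name "$1")"; return 1; }
  echo "Expressway-E from SRV: $target"
  if openssl s_client -connect "$target" -servername "${target%:*}" \
       -showcerts </dev/null 2>/dev/null | issuer_trusted "$2"; then
    echo "top issuer is in the trust list"
  else
    echo "top issuer NOT in the trust list: the phone will reject this chain"
    return 1
  fi
}

if [ "$#" -eq 2 ]; then
  preflight "$@"
else  # offline demo on constructed dig output
  printf '%s\n' '20 10 8443 expe2.example.com.' '10 60 8443 expe1.example.com.' | pick_srv_target
fi
```

Matching the issuer name is a quick screen, not cryptographic validation. A server that presents only its leaf certificate fails the check as well, because the last issuer is then an intermediate rather than a root.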

I’ve read conflicting information about the number of calls supported, and number of lines supported via MRA. In my experience I have two lines on the phone registered and am able to make two calls per line. (I’ve not tested more than two calls per line.) The list of features that may work or not is extensive, so be careful as things like Barge or Intercom may not work yet.

The phone also upgraded code via MRA successfully which is good to know.

I’ve noticed some oddities with on-hook vs. off-hook dialing. I know there are some limitations around KPML currently. In my experience it seems to off-hook dial fine on the primary line, but on a secondary line or when attempting a second call on the primary line you MUST on-hook dial.

Phone registration isn’t supported via TAC yet so feel free to post here and we can collectively attempt to assist. Remember the most basic step to troubleshoot is to see if your Jabber can successfully log in.

94 thoughts on “Collab Edge MRA for 7800/8800/DX Series Endpoints”

Great to see someone try this and share findings in detail! Especially the user experience of how it works (I half expected it to ask for email and figure out the service discovery domain but I can see it has to be input manually). Wondering if MWI and CTI work via MRA?

MWI and missed call logs do work (just tested it). CTI doesn’t work yet. On-hook vs. Off-hook dialing is also hit and miss. I think the official word is that you are supposed to on-hook dial everything because of KPML support issues.

Jabber MRA is working fine, but registering a 7841 using MRA is not working; I mean I am not getting the MRA sign-in screen on the IP phone. Do I need any additional config in CUCM? I am using the sip78xx.10-3-1-12 firmware version.

Thanks a lot Michael. Question… what happens if a root CA is not on the list, can I install a root certificate on the phone? And another question: I see that you need to log in with the end user like Jabber, but does the end user associated with that phone need to be enabled for IM & P if we only want to register the phone? Thanks a lot.

Hey Mike,
First of all, thanks for sharing this, as you mentioned, Cisco TAC is not supporting this yet and Cisco 8841 doc for Expressway, looks limited.
We are facing the same issue as Arvind – when we connect the 8841 phone outside, it doesn’t prompt for login (as shows on the second picture), phone stays all the time like the first pic.
I’ve seen the info regarding the Network reset when changing from inside to outside environment, tried that many times, but no luck.
The firmware we have on the phone is 10.3.1.20, which came already with, and it’s the only 8841 10.3 firmware available for download, so I think we are ok on this part.
Any tip/help would be greatly appreciated.
Regards,

Does your DHCP scope provide a DNS server and no option 150 TFTP? I had to double-check that on mine. We need DNS for the service discovery process, and we don’t want TFTP. 10.3.1(20) is the code I’m using successfully. Let me know what you find there.

Hi Mike,
Thanks so much for your reply – even though the alternate tftp was set to off, the fact that the tftp server field had an IP address, it was blocking the phone to start on Expressway mode. I could bypass this by setting the dhcp to off and erase the tftp field manually – after phone reboot, it finally showed login screen.
The problem now is, the phone is trying to register but it doesn’t go through – phone has CUCM certificates as I made it register internally first.
Just to confirm: does it need to have VCS-E CA certificate by any chance?
Best Regards,

I’m going to bet that the VCS-E cert has to be signed by a CA that is on the trusted list of the phone firmware. I didn’t have any problem with this when I deployed mine. (GoDaddy is the CA I used.) You should be able to generate a problem report on the phone (I forget where it is on the phone menu system, but there is an option) and send that to yourself and see the exact reason the phone is failing.

I only sorted this tonight and our cert was an issue.
I created an internal cert when I was initially testing MRA and I installed the cert on all my remote SX devices. I bought (grudgingly) a public cert a few days ago whilst testing.
As mentioned, no prompt was coming up.

Things I did were
1. Removed all my internal certs and reset to default CA on both VCS-C and E.
2. I lost the traversal zone as the cert wasn’t known now.
3. I also had the traversal zone set to 7002 and changed to 7001
4. Put in the public cert and also re-added my private certs to each box
5. Restarted boxes
6. Went into the cert test tool to check the zone and did a test which initially failed until I changed the port from 7002 to 7001 as mentioned before
7. I had my phone set using static ips so I manually removed the tftp. Of course I was now off the internal network
8. Phone advised that it will erase the trust list as well
9. Once that did it I was able to get the prompt and login.

I’ve got this working on Expressway 8.5.2 and UCM 9.1.2 code. We’ve had MRA for Jabber working for ages so there wasn’t any configuration required to get this working.

Seems to work well enough, although there is a problem where the phone will randomly log out/unregister when connecting via MRA. Looking into the problem report now, but it might be a function of the 9.1.2 code.

I’ve noticed the same thing. My 8851 gets logged out every 24 hours or so. I’m not sure if this is a firewall TCP session timeout thing between the phone and Exp-E, or something Expressway/VCS related. I’d be curious to know what other people are seeing too.

Yeah I’m planning to spend some more time and check out the PR next week, and hope that it has something useful in there. There’s also an annoying bug where when it does unregister, you have to delete your password and enter it again, even though it appears on the screen to be cached.

Configure User Credentials Persistent for Expressway Sign-In
When signing in to the network with Mobile and Remote Access Through Expressway, a user is prompted for a service domain, username, and password. If you enable the User Credentials Persistent for Expressway Sign-In parameter, you can store users’ login credentials so that they do not need to reenter this information. This parameter is disabled by default.
• Enable User Credentials Persistent for Expressway Sign-In for a Phone
• Enable User Credentials Persistent for Expressway Sign-In for Phone Group
• Enable User Credentials Persistent for Expressway Sign-In Across Network
Enable User Credentials Persistent for Expressway Sign-In for a Phone

I am having the same issues with Cisco 7821 series phones running in CUCM 9.1.2 and Expressway X8.5.2. The phone seems to logout after some time, maybe it’s 24 hours. Am wondering if anyone found the fix or where the settings are to change this.

I am having the same issue. I have a Cisco 7821 registered over MRA and it logs out after about 24 hours. I could not find these settings anywhere. Has anyone figured this out and where to make the changes, if that is possible? I am running CUCM 9.1.2 and Expressway X8.5.2.

Hi Mike,
I’m still troubleshooting as I couldn’t make my 8841 phone to register on Expressway mode.
Quick question: did you do an option 42 configuration on your DHCP scope, to make sure the phone had a NTP reference when outside?
Thanks very much again,

RMS is not required for MRA for phones. RMS is just for business-to-business calls.

A self-signed certificate will not work for Phone MRA. The Phone only has about 130 trusted public CA certificates, and your Expressway-E cert must be signed by one of these 130 or the phone won’t trust your Expressway and won’t register.

If you want to use the 88XX SIP phones, 8.5.3 is required, don’t think 8.5.1 works, only for Jabber and eX/dx/mx presence endpoints. However, from the previous few deployments I had with my customer, the 8.5.2 and 3 is full of bugs, primarily with disconnect and no longer able to log back in. In most of the cases, we have to roll back to 8.5.1. This is supposed to be fixed in the soon-to-be-released 8.6, see this link.

Phone security profile is needed on SAN of the C, see page 17 of the MRA deployment guide 8.5. E’s SAN is for chat node alias. C’s SAN is only for phone security profile that’s FQDN and requires TLS. But that’s only between C and CUCM, unless you want to do TLS between C and CUCM (why? cluster security mode to 1 in restrict CUCM version), then there is really NO reason for you to use the TLS on the phone security profile, the standard non-secure profile for any device will work. Hope this helps.

Make sure of the CA cert for the 8841. It’s the signer’s cert, which from the way you have described should be the intermediate CA, not the root CA, so the “Symantec Class 3 Secure Server CA – G4” needs to be in the embedded firmware of the 8841, which I don’t see.

Anyone have one-way audio with the 8851 over MRA? I have a fully functional Jabber MRA system with public certs and using various clients. I can get the 8851 to register over the Expressway but I get one-way audio. I can sign in with Jabber for Mac on the same network and I get two-way audio. I have Jabber on my iPhone and that works fine as well on LTE. I would have thought one-way audio would be seen on all my devices, not just the 8851. I’m running 10.3.1.20 on the phone. I just started troubleshooting but wanted to see if anyone else has seen this.

I’m having an issue where MRA for Jabber is working 100% without issue… but the phone is failing to register. I get the MRA login and it says it’s connected to the Expressway server… but then Expressway throws an error about not being able to register the device due to unknown domain. Any ideas?

I got past this and got the phone working. However, it’s not using TLS for voice traffic (not a huge deal since the SIP trunk to the PSTN is non-secure anyway). Ideally I would like to get TLS working but if I change the phone security certificate to TLS on port 5061, I get the above results. The domain that is the name of the security profile is part of the SAN on both the Expressway-E and Expressway-C certs.

Is Jabber (Mac or J4W) over MRA supported while a 88xx is connected over MRA (both have same username and DN)? I recently got my 8851 working over MRA but noticed instability logging into my Jabber over MRA since then.

Just in case you didn’t figure this out already, this was a phone firmware bug. You can go to https:///edgestatushttpproxyrequests and sort by expire time to see one every 5 seconds. This was causing Collaboration Edge HTTP Intrusion Protection to kick in and block requests. It should be fixed in the 11.0 firmware release and above. Wasn’t able to find the bug link though.

Hey guys, great blog… I’m trying to work with Expressway-E connecting 78xx and 88xx and I actually get connected just fine. However, after connecting a call it loses audio at the 15:00 mark consistently. I’m running 10.5.2 on CUCM and the latest release on the Exp E 8.6.

Hi Clarence, 15:00 sounds like a firewall issue to me. Look into SIP ALG/FIXUP and make sure the settings are correct. (Usually I see documentation saying to turn these features off.) The other issue I’ve seen is a SIP session timer setting in VCS/Expressway you can adjust. But 99% of the time I’ve seen this it’s the firewall dropping the session.

I upgraded to X8.7 recently. MRA is now officially TAC supported, but the release notes state that CTI is still not supported, although that doesn’t mean it might not work. I’ll test it out this weekend and let you know.

Hello all…wondering if someone can help me out. I am trying to do MRA Certificate based authentication on my 88xx. I am trying to avoid our users having to enter their password and close a security hole by having it remember the password. MRA works just fine for credential based authentication.

Hello everyone, I’m new to VoIP, SIP and all this fun stuff. I was wondering if the Cisco 8800 series phones can be used without Expressway? Can it be configured to work on say, Vonage Business? Thanks in advance 🙂

Cisco sells different versions of the 8800 series phones for use with non-Cisco SIP call control. I’m not sure if Vonage would be supported, but anyone running standards-based SIP would likely work. These phones are identical to normal 8800 series but with a different boot loader and firmware. An 8800 phone for Cisco call control can’t be converted for use with third party. You’ve got to buy the specific third party version.

Make sure it’s not on a network that has Option 150 being advertised. Press Settings, Reset all settings (or Reset network settings — something like that — I don’t have a DX650 in front of me). Then it will do the MRA discovery process.

Hello everyone,
When I plug in my 8851 phone it registers and asks for service domain, username and password. When I try to input my password it selects something different. For instance, I want to type 9, but when I press the key, before I select 9 something is already being selected. It looks like the selection is going too fast.

Hi Mike,
I hit the key multiple times to get to 9, same thing. I am getting “connecting” on the phone screen, it stays there for a while and hangs. I unplug and restart again, same thing. My Jabber for Mac and Android are working fine using MRA but my 8851 is still not connecting after I put in my credentials. I can’t tell if the password selection I mentioned above is the issue. Any help?

We are just deploying this solution and have everything working fine, other than the fact that the phones seemingly randomly de-register. We have had network teams check firewalls etc., but nothing has been found. Was wondering whether anyone has suffered this?

When the de-registration occurs, it sometimes reboots the phones and sometimes prompts to logon with MRA creds (which are sometimes pre-populated and sometimes aren’t). Note, no local network (i.e. home broadband) failure is occurring at the same time as the de-registration event.

On each endpoint in CUCM make sure the Cache Expressway credentials is set on each device. It’s at the very bottom of the device page. I had a customer on 8.8.1 experiencing these deregistration issues but they hadn’t checked the remember credentials box. They rolled back to 8.7.3 and fixed it.

Anyone have the new 8821 wireless IP phone working with MRA? I have a phone that registers to CUCM fine. I have EW working fine as other phones register via MRA. But when I clear the CTL and the ITL files and associate to an internet wifi with no option 150, I am never prompted for any MRA credentials. I am running sip8821.11-0-2hee-10

This may be a silly question, but I’ve stepped in as a new vendor to a customer that already has MRA up and working for Jabber clients. I am trying to get it going for 88XX series phones but am unsure what to put in for the services domain. I’ve tried “businessname”.com and it tells me the certificate isn’t valid (it’s working fine for Jabber clients). The Expressway-E name has underscores in it, for example – expressway_e@example.com. It won’t let me put in an underscore in the name for the services domain.

So, my question is, is there a place in either CUCM or Expressway where the services domain is listed by name?

Thanks for all the info here – Question
Can a remote phone (8851s) that is currently registering to the call manager via an ASA be remotely configured to use MRA, or does the phone itself have to be brought back onto the corporate network? I have a single phone and Jabber working so I know the setup of the VCSs is correct and working….

Once it has firmware that supports MRA you could push config from CUCM to enable credential caching but I don’t know how you’d push domain and user info to the phone. You’d likely have to walk the user through typing in their domain and creds on the phone. I haven’t seen if 11.7 or 12.x firmware would make this possible without user intervention.